VFAT is a yield aggregator that uses the Sickle smart contract wallet for yield farming. It simplifies complex tasks such as entering and exiting positions, compounding, and rebalancing.

Ackee Blockchain Security conducted a security review of the VFAT protocol with a total time donation of 18 engineering days between March 4 and March 28, 2025. A second security review then focused on the fixes for the issues found in the first review; other code changes were not reviewed.

We are grateful to Optimism, whose grant partially funded this audit and the second audit of VFAT.
Methodology

We started the review with static analysis tools, including Wake. Then we dove deep into the logic of the contracts.

During the review, we paid special attention to:

- the arithmetic correctness of the system;
- possible reentrancy in the code;
- the safety of the delegatecall usage;
- access control being neither too permissive nor too strict;
- the correctness of the upgradeability implementation; and
- common issues such as missing data validation.
Scope

The first audit was performed on commit 357593f and the scope was as follows:
contracts/Automation.sol
contracts/ConnectorRegistry.sol
contracts/NftSettingsRegistry.sol
contracts/PositionSettingsRegistry.sol
contracts/Sickle.sol
contracts/SickleFactory.sol
contracts/SickleRegistry.sol
contracts/governance/SickleMultisig.sol
contracts/libraries/FeesLib.sol
contracts/libraries/NftSettingsLib.sol
contracts/libraries/NftTransferLib.sol
contracts/libraries/PositionSettingsLib.sol
contracts/libraries/SwapLib.sol
contracts/libraries/TransferLib.sol
For completeness, we also reviewed the following parent contracts:
base/Admin.sol
base/Multicall.sol
base/NonDelegateMulticall.sol
base/SickleStorage.sol
base/TimelockAdmin.sol
The revision review was performed on commit 1c20e7e.
The severity of a finding is determined by two factors: impact and likelihood. This two-dimensional classification helps clarify the seriousness of individual issues. An issue whose impact would be rated medium, but which can only be triggered by the team itself, generally has its severity reduced according to its likelihood to a warning or informational rating.

Our review resulted in 31 findings, ranging from informational to high severity. The most serious finding, H1, allows an admin (malicious or compromised) to drain all user wallets. The medium severity issue M1 allows front-running of the setReferralCode function. Most of the findings are warnings that point out various omissions, code quality issues and edge cases.

The second security review was limited to the issues found in the first security review; no other code changes were reviewed. Twenty issues were fixed, three issues were partially fixed, seven issues were acknowledged, and H1 was invalidated by VFAT. More information can be found in the full audit report linked at the end of this article.
Critical severity

No critical severity issues were found.

High severity

H1: Whitelisted callers can perform delegatecall in all Sickles

Medium severity

M1: Referral code setter can be front-run

Low severity

L1: Non-contract registries can revert

Warning severity

W1: Incomplete data validation for NFT positions
W2: Duplicate lookup
W3: Potential underflow or overflow in tick range calculation
W4: Variable shadowing
W5: Insufficient data validation in the PositionSettingsRegistry contract
W6: Incorrect price calculations in PositionSettingsRegistry
W7: Incorrect use of initializer
W8: Variable naming conventions
W9: Single-step ownership transfer
W10: Duplicate tokens in feeTokens can lead to inconsistent fee calculations
W11: Inconsistent handling of ETH and WETH across the FeesLib contract
W12: Ambiguous handling of the base value in the SwapLib contract
W13: Misleading inheritance
W14: Missing input array length validation
W15: Missing data validation when adding and updating registries
W16: Missing zero address validation

Informational severity

I1: Duplicate code
I2: Use of magic constants
I3: Unused storage variable definitions
I4: Duplicate storage variable
I5: Duplicate isCustomRegistry mapping
I6: Inconsistent function naming conventions
I7: Typo in function comment
I8: Typo in error name
I9: Unused errors
I10: Duplicate function
I11: Missing duplicate registry validation
I12: Documentation errors
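Two of the warnings above, W9 (single-step ownership transfer) and W16 (missing zero address validation), share a root cause: a privileged address is overwritten in one call, with no confirmation from the recipient and no check on the value. The contracts below are an added illustration written for this article, not VFAT or Sickle code; they show the generic weak form next to the hardened two-step form, and the contract and error names are chosen for the example only.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Illustrative contracts, not VFAT code. They show the pattern behind
// W9 (single-step ownership transfer) and W16 (missing zero-address
// validation). Names are hypothetical.

// Weak form: ownership moves in a single call. A mistyped address or
// address(0) permanently locks every onlyOwner function.
contract SingleStepOwnable {
    address public owner;

    error NotOwner();

    constructor() {
        owner = msg.sender;
    }

    modifier onlyOwner() {
        if (msg.sender != owner) revert NotOwner();
        _;
    }

    // Takes effect immediately; no confirmation from newOwner and
    // no zero-address check.
    function transferOwnership(address newOwner) external onlyOwner {
        owner = newOwner;
    }
}

// Hardened form: the current owner nominates, and the nominee has to
// accept from its own key, so a wrong or zero address never takes over.
contract TwoStepOwnable {
    address public owner;
    address public pendingOwner;

    error NotOwner();
    error NotPendingOwner();
    error ZeroAddress();

    event OwnershipTransferStarted(address indexed previousOwner, address indexed newOwner);
    event OwnershipTransferred(address indexed previousOwner, address indexed newOwner);

    constructor() {
        owner = msg.sender;
    }

    modifier onlyOwner() {
        if (msg.sender != owner) revert NotOwner();
        _;
    }

    // Step 1: nominate. Rejecting address(0) covers the W16 case; a
    // mistaken nomination can be overwritten before it is accepted.
    function transferOwnership(address newOwner) external onlyOwner {
        if (newOwner == address(0)) revert ZeroAddress();
        pendingOwner = newOwner;
        emit OwnershipTransferStarted(owner, newOwner);
    }

    // Step 2: only the nominee can complete the transfer, which proves
    // that someone actually controls the key behind that address.
    function acceptOwnership() external {
        if (msg.sender != pendingOwner) revert NotPendingOwner();
        emit OwnershipTransferred(owner, pendingOwner);
        owner = pendingOwner;
        pendingOwner = address(0);
    }
}
```

The two-step contract is the same scheme as OpenZeppelin's Ownable2Step; in an audited codebase the usual fix for W9 is to inherit that implementation rather than hand-roll it, and the zero-address check in the first step is what closes the W16-style gap for this particular setter.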
Trust model

Users of this protocol must trust the admin, who controls important parameters (fees, whitelists, connector updates), and the automation that executes tasks on their behalf. Users control their own Sickle instances and position settings, while the admin remains a centralized point of control. The trust risk is partially mitigated by hard-coded limits and multisig requirements. However, users must accept the risk of centralized control, and of potential transaction manipulation by the automation actors, which can control transaction timing.
Conclusion

Ackee Blockchain Security recommends VFAT:

- set up off-chain monitoring for the M1 finding; and
- address all other reported issues.

The full VFAT Sickle audit report by Ackee Blockchain Security can be found here.

We would like to thank VFAT and look forward to working together again.